Author: foliovision

Alerts (0)

No open alerts.

Show 3 resolved alerts

Critical code_pattern FV Player 8 Resolved · benign_architectural_concern 2d ago

Slug	fv-player
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`8.1.4`
Hit count	1
First hit	File `includes/fp-api-private.php` Line 249 Snippet L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L249: $response = @unserialize( preg_replace( '~^/\[\s\S]?\*/\s+~', '', $raw_respons
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "fv-player",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "8.1.4",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 249,
        "snippet": "L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L249: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Critical code_pattern FV Flowplayer Video Player Resolved · benign_architectural_concern 2d ago

Slug	fv-wordpress-flowplayer
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`7.5.49.7212`
Hit count	1
First hit	File `includes/fp-api-private.php` Line 397 Snippet L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\[\s\S]?\*/\s+~', '', $raw_respons
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "fv-wordpress-flowplayer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "7.5.49.7212",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 397,
        "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Critical code_scan_delta FV Flowplayer Video Player Resolved · false_positive_cdn_known_good 2d ago

Slug fv-wordpress-flowplayer

Previous version 7.5.49.7212

Current version 7.5.49.7212

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`includes/fp-api-private.php`	397	L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\[\s\S]?\*/\s+~', '', $raw_respons	`high`

New finding count 1

View raw JSON

{
    "slug": "fv-wordpress-flowplayer",
    "previous_version": "7.5.49.7212",
    "current_version": "7.5.49.7212",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 397,
            "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (28)

Plugin	Version	Installs	Last updated	Status
FV Top Level Categories ·`fv-top-level-cats`	1.9.1	20k+	8mo ago	Active
FV Flowplayer Video Player ·`fv-wordpress-flowplayer`	7.5.49.7212	20k+	1mo ago	Active
FV Clone Screen Options ·`fv-clone-screen-options`	0.5	2k+	1y ago	Active
FV Simpler SEO ·`fv-all-in-one-seo-pack`	1.9.7	2k+	4mo ago	Active
FV Player 8 ·`fv-player`	8.1.4	1k+	1mo ago	Active
FV Antispam ·`fv-antispam`	2.8	900	5mo ago	Active
FV Gravatar Cache ·`fv-gravatar-cache`	0.5	700	11mo ago	Active
WP Mail SMTP SendGrid Edition ·`wp-mail-smtp-sendgrid-edition`	1.4.0	500	1y ago	Active
Foliopress WYSIWYG ·`foliopress-wysiwyg`	2.6.18	200	1y ago	Active
FV Thoughtful Comments ·`thoughtful-comments`	0.4.1	80	1y ago	Active
FV Descriptions ·`fv-descriptions`	1.9.7	70	4mo ago	Active
Subscribe to Comments Reloaded Better Unsubscribe ·`subscribe-to-comments-reloaded-better-unsubscribe`	0.9.8	40	9y ago	Active
BusinessPress ·`businesspress`	1.5	40	2mo ago	Active
Filled In ·`filled-in`	1.9.6	20	5mo ago	Active
FV Feedburner Replacement ·`fv-feedburner-replacement`	0.4.3	20	7y ago	Active
FV Swiftype ·`fv-swiftype`	0.3.8	10	4y ago	Active
FV Testimonials ·`fv-testimonials`	1.13	10	9y ago	Active
Typewriter ·`typewriter`	1.0	10	12y ago	Active
FV bbPress Tweaks ·`fv-bbpress-tweaks`	0.2.7.4	10	7y ago	Active
foliovision-clone-screen-options ·`foliovision-clone-screen-options`	—	—	—	Closed
filled-in-which-works ·`filled-in-which-works`	—	—	—	Closed
FV WP Link Robot ·`wp-link-robot`	0.6.11	—	—	Closed
fv-forms ·`fv-forms`	—	—	—	Closed
FV Simpler SEO Pack ·`fv-simpler-seo-pack`	1.6.8	—	—	Closed
Please remove this one ·`fv-top-level-categories`	—	—	—	Closed
fv-universal-thumbnailer ·`fv-universal-thumbnailer`	—	—	—	Closed
fv-video-player ·`fv-video-player`	—	—	—	Closed
seo-images ·`seo-images`	—	—	—	Closed

SVN commit access (8)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin	Primary author	Installs	Commits	First	Latest	Status
FV Flowplayer Video Player	foliovision	20k+	500	10y ago	1mo ago	Active
FV Simpler SEO	foliovision	2k+	115	16y ago	4mo ago	Active
FV Antispam	foliovision	900	80	15y ago	5mo ago	Active
FV Player 8	foliovision	1k+	57	1y ago	1mo ago	Active
FV Top Level Categories	foliovision	20k+	48	15y ago	8mo ago	Active
FV Gravatar Cache	foliovision	700	48	15y ago	11mo ago	Active
FV Clone Screen Options	foliovision	2k+	33	16y ago	1y ago	Active
WP Mail SMTP SendGrid Edition	foliovision	500	10	8y ago	1y ago	Active

FolioVision

Alerts (0)

Plugins authored (28)

SVN commit access (8)